package io.gravitee.am.gateway.handler.common.oauth2.impl;

import io.gravitee.am.common.exception.jwt.JWTException;
import io.gravitee.am.common.exception.oauth2.InvalidTokenException;
import io.gravitee.am.common.jwt.JWT;
import io.gravitee.am.gateway.handler.common.client.ClientSyncService;
import io.gravitee.am.gateway.handler.common.jwt.JWTService;
import io.gravitee.am.repository.oauth2.model.Token;
import io.reactivex.rxjava3.core.Maybe;
import io.reactivex.rxjava3.core.Single;
import java.time.Instant;
import java.util.Date;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/gravitee/am/gateway/handler/common/oauth2/impl/BaseIntrospectionTokenService.class */
abstract class BaseIntrospectionTokenService {
    private static final Logger LOGGER = LoggerFactory.getLogger(BaseIntrospectionTokenService.class);
    private static final long OFFLINE_VERIFICATION_TIMER_SECONDS = 10;
    private final JWTService jwtService;
    private final ClientSyncService clientService;
    private final JWTService.TokenType tokenType;

    /* JADX INFO: Access modifiers changed from: package-private */
    public BaseIntrospectionTokenService(JWTService.TokenType tokenType, JWTService jWTService, ClientSyncService clientSyncService) {
        this.tokenType = tokenType;
        this.jwtService = jWTService;
        this.clientService = clientSyncService;
    }

    protected abstract Maybe<? extends Token> findByToken(String str);

    /* JADX INFO: Access modifiers changed from: protected */
    public Maybe<JWT> introspectToken(String str, boolean z) {
        return this.jwtService.decode(str, this.tokenType).flatMapMaybe(jwt -> {
            return this.clientService.findByDomainAndClientId(jwt.getDomain(), jwt.getAud());
        }).switchIfEmpty(Single.error(() -> {
            return new InvalidTokenException("Invalid or unknown client for this token");
        })).flatMap(client -> {
            return this.jwtService.decodeAndVerify(str, client, this.tokenType);
        }).toMaybe().flatMap(jwt2 -> {
            return (z || Instant.now().isBefore(Instant.ofEpochSecond(jwt2.getIat() + OFFLINE_VERIFICATION_TIMER_SECONDS))) ? Maybe.just(jwt2) : findByToken(jwt2.getJti()).switchIfEmpty(Maybe.error(() -> {
                return new InvalidTokenException("The token is invalid", "Token with JTI [" + jwt2.getJti() + "] not found in the database", jwt2);
            })).map(token -> {
                if (token.getExpireAt().before(new Date())) {
                    throw new InvalidTokenException("The token expired", "Token with JTI [" + jwt2.getJti() + "] is expired", jwt2);
                }
                return jwt2;
            });
        }).onErrorResumeNext(th -> {
            if (th instanceof JWTException) {
                LOGGER.debug("An error occurs while decoding JWT access token : {}", str, th);
                return Maybe.error(new InvalidTokenException(th.getMessage(), th));
            }
            if (th instanceof InvalidTokenException) {
                InvalidTokenException invalidTokenException = (InvalidTokenException) th;
                String details = invalidTokenException.getDetails();
                JWT jwt3 = invalidTokenException.getJwt();
                Logger logger = LOGGER;
                Object[] objArr = new Object[4];
                objArr[0] = str;
                objArr[1] = details != null ? details : "none";
                objArr[2] = jwt3 != null ? jwt3.toString() : "{}";
                objArr[3] = invalidTokenException;
                logger.debug("An error occurs while checking JWT access token validity: {}\n\t - details: {}\n\t - decoded jwt: {}", objArr);
            }
            return Maybe.error(th);
        });
    }
}
